Private Investigator at Work
Three calls were made by the same person: a private investigator we'll call Oscar Grace. Grace had a new client, one of his first: a woman who was planning to ask her husband for a divorce but had a problem. Their money and savings were being moved to an unknown account, and Grace had to find out where.
The First Call: Kim Andrews
"National Bank, this is Kim. Did you want to open an account today?"
"Hi, Kim. I have a question for you. Do you guys use CreditChex?"
"Yes."
"When you phone in to CreditChex, what do you call the number you give them--is it a 'Merchant ID'?"
A pause; she was weighing the question, wondering what this was about and whether she should answer. The caller quickly continued without missing a beat:
"Because, Kim, I'm working on a book. It deals with private investigations."
"Yes," she said, answering the question with new confidence, pleased to be helping a writer.
"So it's called a Merchant ID, right?"
"Uh huh."
"Okay, great. Because I wanted to make sure I had the lingo right. For the book. Thanks for your help. Good-bye, Kim."
The Second Call: Chris Talbert
"National Bank, New Accounts, this is Chris."
"Hi, Chris. This is Alex," the caller said. "I'm a customer service rep with CreditChex. We're doing a survey to improve our services. Can you spare me a couple of minutes?"
She was glad to, and the caller went on:
"Okay - what are the hours your branch is open for business?" She answered, and continued answering his string of questions.
"How many employees at your branch use our service?"
"How often do you call us with an inquiry?"
"Which of our 800-numbers have we assigned you for calling us?"
"Have our representatives always been courteous?"
"How's our response time?"
"How long have you been with the bank?"
"What Merchant ID are you currently using?"
"Have you ever found any inaccuracies with the information we've provided you?"
"If you had any suggestions for improving our service, what would they be?"
And:
"Would you be willing to fill out periodic questionnaires if we send them to your branch?"
She agreed, they chatted a bit, the caller rang off, and Chris went back to work.
The Third Call: Henry McKinsey
"CreditChex, this is Henry McKinsey, how can I help you?"
The caller said he was from National Bank. He gave the proper Merchant ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the caller gave that, too. After a few moments, Henry read the listing from his computer screen.
"Wells Fargo reported NSF in 1998, one time, amount of $2,066." NSF (non-sufficient funds) is the familiar banking lingo for checks that have been written when there isn't enough money in the account to cover them.
"Any activities since then?"
"No activities."
"Have there been any other inquiries?"
"Let's see. Okay, two of them, both last month. Third United Credit Union of Chicago." He stumbled over the next name, Schenectady Mutual Investments, and had to spell it. "That's in New York State," he added.
Countermeasures against Social Engineering
The three calls show the pattern: CreditChex treated the Merchant ID as proof that the caller was from National Bank, and two bank employees gave that identifier away because neither saw it as sensitive. Kim confirmed the terminology for a "writer", Chris read the ID out to a "customer service rep" running a survey, and Henry then accepted it from a stranger as authentication. Kevin Mitnick, in his book 'The Art of Deception', gives a list of countermeasures against social engineering attacks for use inside a company. Writing the protocols down is not enough; employees have to be motivated to follow them. The coordinated effort includes:
- Developing clear, concise security protocols that are enforced consistently throughout the organization
- Developing security awareness training
- Developing simple rules defining what information is sensitive
- Developing a simple rule that says that whenever a requestor is asking for a restricted action (that is, an action that involves interaction with computer-related equipment where the consequences are not known), the requestor’s identity must be verified according to company policy
- Developing a data classification policy
- Training employees on ways to resist social engineering attacks
- Testing your employees' susceptibility to social engineering attacks by conducting a security assessment
- Aiming to establish in trainees a sense that they would feel foolish if they were manipulated by a social engineering attack after the training
- Modifying the organization's politeness norms: it's okay to say "no"!